X-Git-Url: https://iankelling.org/git/?p=automated-distro-installer;a=blobdiff_plain;f=fai%2Fconfig%2Fdistro-install-common%2Fend;h=57b71159f62352228b8f53f28fb0b3ae89e138f8;hp=bc4e816bad77d2e36f3e88548421a1f71a474eed;hb=9fefba0a7ad0f7d9cac32b81f960ae8828de2a66;hpb=7f77555b3d92709034fe41919358053c650c71e1 diff --git a/fai/config/distro-install-common/end b/fai/config/distro-install-common/end index bc4e816..57b7115 100755 --- a/fai/config/distro-install-common/end +++ b/fai/config/distro-install-common/end @@ -4,82 +4,108 @@ set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR if [[ $EUID != 0 ]]; then - echo "$0: error: expected to be root." - exit 1 + echo "$0: error: expected to be root." + exit 1 fi -TPW=/q/root/shadow/traci-simple -if ifclass tp; then - ROOTPW="$TPW" -else - ROOTPW=/q/root/shadow/standard +# ssh host keys +# note, $BASH_SOURCE is not defined here under fai. + +src=$(dirname "$0")/p/c/machine_specific/$HOSTNAME/filesystem/etc/ssh +dst=$target/etc/ssh +if [[ -e $src && -e $dst ]]; then + # outside of fai context or setting up a brand new host, we skip this + cp -rT $src $dst +fi + +USER2PW=/q/root/shadow/user2 +# if doesn't exist, we dont set one +ROOTPW=/q/root/shadow/standard +if [[ ! -e $ROOTPW ]]; then + ROOTPW=/q/root/shadow/$HOSTNAME fi chpw() { - # generating a hashed password: - # under debian, you can do - # mkpasswd -m sha-512 -s >/q/root/shadow/standard - # On arch, best seems to be copy your shadow file to a temp location, - # then passwd, get out the new pass, then copy the shadow file back. - - user=$1 - pwfile=$2 - if [[ $pwfile && -e $pwfile ]]; then - printf "$user:" | cat - "$pwfile" | $ROOTCMD chpasswd -e - else - echo "$0: warning: no pw set for $user" >&2 - fi + # generating a hashed password: + # under debian, you can do + # mkpasswd -m sha-512 -s >/q/root/shadow/standard + # On arch, best seems to be copy your shadow file to a temp location, + # then passwd, get out the new pass, then copy the shadow file back. + + user=$1 + pwfile=$2 + if [[ $pwfile && -e $pwfile ]]; then + printf "$user:" | cat - "$pwfile" | $ROOTCMD chpasswd -e + else + echo "$0: warning: no pw set for $user" >&2 + fi } -au() { # add user - if ! $ROOTCMD getent passwd ${@: -1}; then - $ROOTCMD useradd -m -s /bin/bash $@ - fi +au() { # add user. i don't use adduser for portability + local user=${@: -1} + if ! $ROOTCMD getent passwd $user; then + $ROOTCMD useradd -c $user -Um -s /bin/bash $@ + fi } chpw root "$ROOTPW" -# 9 = user already exists. so we are idempotent. -au ian -chpw ian "$ROOTPW" -au traci +# only setup root pass for bootstrap vol +if ifclass VOL_BULLSEYE_BOOTSTRAP; then + exit 0 +fi + + +# return of 9 = user already exists. so we are idempotent. +au iank +chpw iank "$ROOTPW" + +au user2 if ifclass frodo; then - chpw traci "$TPW" + chpw user2 "$USER2PW" fi -# comparing ian's groups to traci, I see none she should join on arch -$ROOTCMD usermod -a -G traci ian +# comparing iank's groups to user2, I see none she should join on arch +$ROOTCMD usermod -a -G user2 iank + +$ROOTCMD getent group docker &>/dev/null || $ROOTCMD groupadd -r docker +$ROOTCMD usermod -a -G docker iank # based on unison error, with 8192 from # sysctl -a | grep fs.inotify.max_user_watches #http://stackoverflow.com/questions/535768/what-is-a-reasonable-amount-of-inotify-watches-with-linux - f=$target/etc/sysctl.d/99-sysctl.conf key=fs.inotify.max_user_watches if [[ -e $f ]]; then sed -ri --follow-symlinks "/^\s*$key\s*=/d" $f; fi -echo "fs.inotify.max_user_watches = 1000000" >> $f +echo "fs.inotify.max_user_watches = 50000" >> $f # applies it. it would be also be applied after a reboot $ROOTCMD sysctl --system -f=$target/etc/sudoers -line='ian ALL=(ALL) NOPASSWD: ALL' -if [[ ! -e $f ]] || ! grep -xF "$line" $f; then - echo "$line" >> $f -fi - +cat >$target/etc/sudoers.d/ianksudoers <<'EOF' +Defaults timestamp_timeout=1440 +# used in bashrc +Defaults env_keep += SUDOD +# always_set_home +# makes ubuntu be like debian +# https://unix.stackexchange.com/a/91572 +Defaults always_set_home +# umask: default setting is to have minimum umask of 0022 +# This lets us have user-specific umasks which are more permissive. +# I did this for transmission and set it's umask gecos on install, +# see there for more info. +Defaults !umask +# i use sudo in cronjobs, it spams the logs rather uselessly +# https://stackoverflow.com/questions/14277116/suppress-log-entry-for-single-sudo-commands +Defaults:root,iank !log_allowed, !pam_session +# for just the root user, set some env vars +Defaults>root env_file=/etc/rootsudoenv +EOF -dir=/p/c/machine_specific/$HOSTNAME/.unison -$ROOTCMD mkdir -p $dir -if ! $ROOTCMD test -L /root/.unison; then - $ROOTCMD rm -rf /root/.unison - $ROOTCMD ln -s -T $dir /root/.unison +# remove old config line. can be removed eventually. +f=$target/etc/sudoers +line='iank ALL=(ALL) NOPASSWD: ALL' +if grep -qxF "$line" $f; then + sed -i "/^$line/d" $f fi -$ROOTCMD chown -R 1000:1000 $dir -while true; do - $ROOTCMD chown 1000:1000 $dir - $ROOTCMD chmod 700 $dir - dir=$(dirname $dir) - if [[ $dir == /p ]]; then break; fi -done -au -s /bin/false --home-dir /var/lib/bitcoind bitcoin +au --system -s /bin/false --home-dir /var/lib/bitcoind bitcoin